Tags

For five days in late March, the computers running most of Atlanta city government were frozen—shut down and held hostage by hackers who used ransomware, a pernicious way of extorting money. The attackers breached networks and hard drives. They locked up and encrypted the data. They changed file names to “I’m sorry” and gave its targets a week to pay with cyber currency. “We are dealing with a hostage situation,” Atlanta Mayor Keisha Lance Bottoms said at the time.

That nightmarish scenario is exactly what the officials who run state and local elections are seeking to prevent in spring primaries and especially next fall’s general election: a widespread disruption of voting in key locales and races, where the process is held hostage as the press, candidates, supporters and public impatiently demand results.

In recent days, there have been new revelations about the extent of 2016’s cyber attacks on voting, suggesting they were more widespread and varied than previously known. But even though these disclosures raise eyebrows, there is still no evidence that hacking changed 2016’s election results, even minutely. Moreover, election officials are taking unprecedented steps to secure voting in 2018, including using a range of backups.

“In most cases, there are protections and fail-safes to ensure that voters can still cast a ballot that will count,” said David Becker, founder and executive director of the Center for Election Innovation and Research, who previously led the team creating a data center now used by 23 states that has registered more than 6 million new voters since 2012. “Election officials are working hard to prevent and detect any potential attack. They are also successfully working to mitigate the effect of any attack, allowing for the voters to vote with confidence their votes will count.”

Becker notes nearly 80 percent of the U.S. is now voting on paper ballot-based systems—a percentage that is growing and cannot be hacked; more states than ever are conducting audits of vote-counting systems for accuracy; and more cyber-security protections than ever are being instituted, including planning for successful cyber attacks. Above all, he said that backup measures would be in place if electronic systems were attacked.“If a voter database or e-pollbook is hacked, for instance, paper voter registers and provisional ballots would be instrumental in protecting the vote,” he said. “There would be confusion, frustration, and delay, but with some patience, the election could go forward with integrity.”

Becker works with officials doing this behind-the-scenes planning and preparation. But the latest revelations about the extent and type of hacking attempts in 2016—and also in 2018—underscore the reality that cyber attacks on election infrastructure are here to stay. Americans may put the vote on a pedestal, but election systems are no different from other arms of government that also have been targeted by online interlopers.

New Revelations About Hacking Attempts

That conclusion is one takeaway from the Senate Select Committee on Intelligence just-released details on Russian-led cyber attacks on voting in 2016. Prior to this latest report, federal officials said 21 states had been targeted, but only one statewide voter registration database had been breached. A Florida contractor, who works for counties and states to maintain their election systems, also was targeted, possibly as a way into state systems.

“In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting related websites,” the Intelligence report said, enlarging what was previously known. “Russian-affiliated cyber actors… were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.”

The Senate report was not the only vote hacking news. Top election officials in Alaska said a person with ties to a domestic hacker network got into the state website that posted the results on Election Night in 2016. Crucially, like the Senate report, Alaskan officials said the count was not affected. (That is because websites posting results are separate from voter registration databases as well as from the systems that tally votes).

Election officials know their computers are under attack. Since 2016, they have taken unprecedented steps as an industry to harden their systems. They have participated in war game-like training exercises with response drills, contingency planning, disaster recovery planning, public information strategies and more. They are also partnering with federal agencies and the National Guard to monitor networks and intruders on a weekly basis, and coordinate responses—so the public gets clear and consistent messages from government officials should a crisis interrupt voting.

But most of this prevention work is behind the scenes and not visible to voters. Ironically, that quiet work contributes to perceptions that voting is less secure than it is; a perception that gets magnified when the president repeats the lie that millions of people had illegally voted in 2016 for his opponent.

Hall said the election security was best achieved by taking a “layered” approach, which, in elections, means protecting the various component systems in elections—registration, tabulation, reporting results—and backups for each of those.

“I do think that the best election operations and the worst election operations are defined by their contingency planning,” he said. “Cyber security is a superb place for those that do a lot of contingency planning because layered defenses (called ‘defense-in-depth’ in computer security) are exceedingly important; after all, the attacker just has to find one way to break in, while the defender has to cover all potential ways that could happen.”

What Could Happen on Election Day?

So what would the public see if voting systems were attacked in the primaries or in the fall’s midterm election? And what would the official response likely be—if voters and the public were patient enough to heed official responses instead of falling prey to cries that their candidates’ votes were being stolen?

“Tonight, Our web servers suffered a successful denial of service attack. Election results were not affected… Our staff is working to contain the attack & continue releasing election returns atknoxvotes.org,” the county tweeted at 7:01 PM, one minute after the polls closed. Officials distributed printed results for the media, campaigns and public. In short, they relied on paper, and asked for patience.

But much more sophisticated planning has been underway since 2016. For example, teams of experts at the Defending Digital Democracy Project at Harvard University’s Belfer Center for Science and International Affairs, have prepared extensive risk analyses of voting system vulnerabilities and have led officials in mock attacks to respond behind the scenes and in public. The planning starts with a catalog of steps to backup and secure voter registration data and vote counting systems. It continues to include government officials clearly telling the public what is going on.

Belfer and others have been working with election officials since early 2017. Earlier this spring, the federal government appropriated $380 million for election security measures to assist in this task. The funds will replace the all-electronic systems still in use with paper ballot based systems. But that hardware replacement will not happen until after 2018’s elections because the procurement process is slow and officials don’t want to install new systems before high-stakes elections (where they’re learning to use them).

Thus, the biggest security risks for 2018’s election seem to fall into two categories, based on the known and attempted hacks—as cited by the Senate and others.

Those risks concern the accessing of voter registration databases and possible scrambling of polling place voter lists. That scenario could cause high-profile delays—causing the public to wait for hours, and be given so-called provisional ballots (which would then have to be individually verified before counting), and causing the Election Night announcement of the unofficial winners to be delayed.

Digging a little deeper into this scenario, one of the more vulnerable linchpins is not the statewide voter databases, per se, as they are managed by technicians. Rather, it is the use of electronic poll books—portable computers—to check in voters at polling places by the volunteer workers managing the process. According to a just-issued report by the U.S. Election Assistance Commission, nearly half of the nation’s polling place voters—47.7 percent—use e-pollbooks to check in before casting a ballot.

“E-pollbooks are definitely a bigger vulnerability,” said Hall, who then explained how tampering with e-pollbooks could become a big technical mess.

“We don’t have any idea how often these are attacked either,” he said. “Some of these are networked… which we hope are not on public networks or at a minimum are strictly access-controlled and encrypted in transit (which makes it much harder to attack without physical access to the device). Note that with physical access to a few e-pollbooks last August at the Def Con Voting Machine Hacking Village, we found, in a few minutes, 760k voter registration records for Shelby County, TN. So physical access is something we need to worry about with these devices, and that could be accomplished if these e-pollbooks are allowed to go home with poll workers or left in an insecure location.”

It is the job of technical experts like Hall to worry about every possibility, which is why his comments are filled with detailed possible scenarios. But where he lands is back in the world of paper, saying that the best safeguard is having accessible paper records—in this case precinct voter lists that can be used to check people in on Election Day.

If paper is the best safeguard on the starting line of the process on Election Day, it also is the best safeguard on the finish line—the casting of ballots. Federal law requires that all states have provisional ballots, which are backup ballots, ready at polling places. In the past, these have been used when someone’s name is missing from voter rolls and they show up, insist they are registered and demand to vote.

Thus, the most visible impact of Election Day cyber attacks would be the use of these ballots, which would slow down the process of checking people in, and delay counting the votes, possibly for days, which the public would likely find frustrating.

“I think there needs to be a contextualization of what would happen in the case of say, an e-pollbook being hacked in some way that people can’t vote as they would expect,” said Becker, when pondering what would unfold if the computer systems were compromised. “I think that’s where we take the deep breath. There are fail safes in place with provisional ballots and other means.”

“This isn’t going to be the end of the world,” he continued. “If somebody tampers with the voter registration databases or e-pollbooks, the very worst-case scenario would be a very large degree of confusion, delay, but it won’t affect the outcome as long as voters have some sense of patience. That’s the goal.”

Whether or not the public can be persuaded to be patient enough to wait for election results in our world of shrinking attention spans is another issue. But election officials are taking unprecedented steps to harden cyber security and deploy backup plans, steps they hope the public will appreciate and lead to greater confidence in the system.